New ISO 27000 series standard will replace ISO 17799 (ISO/IEC 17799:2005 was renumbered ISO/IEC 27002 in 2007)

http://www.iso27001security.com/html/faq.html

Compliance Areas

ISO 17799 (organized into ten major sections, listed below), Gramm-Leach-Bliley Act (GLBA), HIPAA, Sarbanes-Oxley Act of 2002, California SB-1386, Payment Card Industry (PCI) Data Security Standard.

Gramm-Leach-Bliley Act (GLBA), 1999, Title V - Privacy

Subtitle A - Disclosure of Nonpublic Personal Information, Sec. 501-503, protection of nonpublic personal information. Comprises the Privacy Rule (provide each consumer with a privacy notice) and the Safeguards Rule (maintain a written information security plan).
Subtitle B - Fraudulent Access to Financial Information, the provision that prohibits pretexting: the use of false pretenses, including fraudulent statements and impersonation, to obtain consumers' personal financial information.

The privacy protections are codified at 15 USC § 6801-6810.
http://www.ftc.gov/privacy/privacyinitiatives/glbact.html
http://www.ftc.gov/privacy/glbact/glbsub1.htm

http://www.epic.org/privacy/glba/

HIPAA (1996): Privacy Rule (compliance date April 2003) and Security Rule (final rule February 2003, compliance April 2005) covering the security and privacy of individually identifiable health information

http://www.hipaadvisory.com/

http://www.cms.hhs.gov/EducationMaterials/04_SecurityMaterials.asp

Sarbanes-Oxley Act of 2002 - section 404: management assessment of internal controls over financial reporting (404(a)) and auditor attestation of that assessment (404(b)); the statutory text of the section is reproduced below

http://www.sec.gov/divisions/corpfin/faqs/soxact2002.htm

http://www.sarbanes-oxley.com/section.php?level=1&pub_id=SEC-Rules

http://www.sox-online.com/sarbanes_oxley_articles_it.html

California SB-1386 (chaptered 2002, effective 1 July 2003): breach notification for computerized personal information (Civil Code 1798.29 and 1798.82)

http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html

Payment Card Industry (PCI) Data Security Standard v1.1 (September 2006)
http://www.n-cg.net/ncgpdf/pci_dss_v1-1.pdf

ISO 17799 is organized into ten major sections:

I. Business Continuity Planning
To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters.

http://www.infosyssec.com/infosyssec/buscon1.htm

http://www.drj.com/

II. System Access Control
1) To control access to information.

2) To prevent unauthorized access to information systems.

3) To ensure the protection of networked services.

4) To prevent unauthorized computer access.

5) To detect unauthorized activities.

6) To ensure information security when using mobile computing and networking facilities.

III. System Development and Maintenance
1) To ensure security is built into operational systems.

2) To prevent loss, modification or misuse of user data in application systems.

3) To protect the confidentiality, authenticity and integrity of information.

4) To ensure IT projects and support activities are conducted in a secure manner.

5) To maintain the security of application system software and data.

IV. Physical and Environmental Security
1) To prevent unauthorized access, damage and interference to business premises and information.

2) To prevent loss, damage or compromise of assets and interruption to business activities.

3) To prevent compromise or theft of information and information processing facilities.

V. Compliance
1) To avoid breaches of any criminal or civil law, statutory, regulatory or contractual obligations and of any security requirements.

2) To ensure compliance of systems with organizational security policies and standards.

3) To maximize the effectiveness of and to minimize interference to/from the system audit process.

VI. Personnel Security
1) To reduce risks of human error, theft, fraud or misuse of facilities.

2) To ensure that users are aware of information security threats and concerns, and are equipped to support the corporate security policy in the course of their normal work.

3) To minimize the damage from security incidents and malfunctions and to learn from such incidents.

VII. Security Organization
1) To manage information security within the Company.

2) To maintain the security of organizational information processing facilities and information assets accessed by third parties.

3) To maintain the security of information when the responsibility for information processing has been outsourced to another organization.

VIII. Computer & Operations Management
1) To ensure the correct and secure operation of information processing facilities.

2) To minimize the risk of systems failures.

3) To protect the integrity of software and information.

4) To maintain the integrity and availability of information processing and communication.

5) To ensure the safeguarding of information in networks and the protection of the supporting infrastructure.

6) To prevent damage to assets and interruptions to business activities.

7) To prevent loss, modification or misuse of information exchanged between organizations.

IX. Asset Classification and Control
To maintain appropriate protection of corporate assets and to ensure that information assets receive an appropriate level of protection. All assets must be formally accounted for and assigned a specific owner who is responsible for maintenance and security controls.

X. Security Policy
To provide management direction and support for information security.

http://www.sans.org/resources/policies/

Sarbanes-Oxley Act of 2002, Section 404 -- Management Assessment of Internal Controls (statutory text)

a. Rules Required. The Commission shall prescribe rules requiring each annual report required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 to contain an internal control report, which shall--

    1. state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and

    2. contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.

b. Internal Control Evaluation and Reporting. With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement.

PCI DSS 1.1 (2006) is the current version of the standard and applies to retailers and to any organization that stores, processes or transmits cardholder data.

PCI DSS 1.0, based on the Visa Cardholder Information Security Program (CISP), was released in December 2004; Visa required Level 1 merchants to be compliant by June 2005, and the standard was not revised until version 1.1 in September 2006. On that timetable, PCI does not issue a new version of the DSS every year.

The PCI Security Standards Council planned to adopt the Visa Payment Application Best Practices (PABP) guidelines as a PCI standard in 2008; it was published as the Payment Application Data Security Standard (PA-DSS).

PABP/PA-DSS covers payment application software (the applications that store, process or transmit cardholder data) rather than the merchant network that processes or transports the data. Hardware PIN-entry terminals from manufacturers such as Verifone, Ingenico and Hypercom are certified under the separate PCI PIN Entry Device (PED) security requirements, not under the application standard.

© copyright 2008 created by www.ITCharts.com